TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
Office of Inspections and Evaluations

Revised Procedures Preceded Significant Increases
in Reports of Potential Disclosure of Personally
Identifiable Information

May 18, 2010 / Revised September 23, 2010

Reference Number: 2010-IE-R005

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process
and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

May 18, 2010

MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT

FROM:     R. David Holmgren
          Deputy Inspector General for Inspections and Evaluations

SUBJECT:  Final Evaluation Report – Revised Procedures Preceded Significant
          Increases in Reports of Potential Disclosure of Personally Identifiable
          Information (# IE-10-003)

This report presents the results of our evaluation to determine why the Internal Revenue Service
(IRS) experienced a significant increase in the number of reported potential disclosures of
personally identifiable information.

This evaluation focused on the efforts by the IRS Office of Privacy, Information Protection and
Data Security to identify and manage potential disclosure of personally identifiable information
by the IRS.
Inappropriate, unauthorized disclosure of personally identifiable information can
place taxpayers at increased risk for identity theft, which remains a serious problem in the
United States. Identity theft can create havoc in an individual’s life while creating barriers to
voluntary compliance for those taxpayers who have been victims of this crime.

Synopsis

This evaluation concentrated on a reported increase in the number of disclosure incidents that
began in April 2009. We analyzed data from IRS systems characterizing disclosure incidents,
interviewed field employees, and assessed the likely impact of new policy that changed internal
IRS procedures on the reporting of potential disclosures. Our analysis leads us to conclude that
the increase in disclosure incidents was related to revised reporting guidelines and requirements
published by the IRS in March and September 2009.

While we make no recommendations in this report, IRS managers reviewed the draft report and
concurred with the facts we developed and reported.

Please contact me at (202) 927-7048 if you have questions or Kevin Riley, Director, Office of
Inspections and Evaluations, at (972) 249-8355.

Table of Contents

Background

Results of Review
    Reporting Procedures Were Revised
    Interviewed Employees Were Aware of New Procedures
    Conclusion

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List

Abbreviations

IRS    Internal Revenue Service
PII    Personally Identifiable Information

Background

During 2009, the Treasury Inspector General for Tax Administration became concerned about an
increase in reports of potential disclosure of personally identifiable information (PII).[1]
Inappropriate disclosure of PII can place individuals at higher risk of identity theft and may
erode public confidence in the Nation’s tax system, which is built upon the principle of voluntary
compliance with the provisions of the tax code.

The Federal Trade Commission reports that perpetrators of identity theft continue to victimize
hundreds of thousands of American citizens.
While the overall number of identity theft
complaints dropped from 2008 to 2009, identity theft remains the single largest type of
complaint submitted to the Federal Trade Commission’s Consumer Sentinel Network with over
1.3 million complaints received since 2005.[2]

In July 2007, the Internal Revenue Service (IRS) established the Office of Privacy, Information
Protection and Data Security to protect sensitive data by reducing the risk of inadvertent
disclosures by IRS employees. The Office conducts assessments of potential disclosures that
might place taxpayers at increased risk for identity theft. In 2009, the Office investigated over
2,900 cases, which was a significant increase from 2008. When taxpayer risk has been
identified, the Office notifies taxpayers of potential issues and may offer credit monitoring or
related services that are designed to reduce the risk of actual identity theft.

This review was initiated as a limited scope evaluation of the disclosure incident reporting
process, with a focus on incidents that were reported during calendar year 2009. The intent was
to determine the reason for the increased rate of disclosure incident reporting.

The review was performed at the IRS National Headquarters in Washington, D.C., and supported
by field visits to Philadelphia, Pennsylvania, and Austin, Texas, during the period from
November 2009 through March 2010. This review was performed in accordance with the
Council of the Inspectors General for Integrity and Efficiency Quality Standards for Inspections.
Detailed information on our objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

[1] Personally identifiable information (PII) refers to information that can be used to distinguish or trace an
individual’s identity, alone or when combined with other personal or identifying information.
Examples of PII
include: names, Social Security Number, biometric records, date of birth, financial or bank account information,
and driver’s license numbers.

[2] The complete Consumer Sentinel Network Data Book for January – December 2009 (released February 2010) is
available on the Federal Trade Commission website at
http://ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.

Results of Review

During 2009, the IRS took several steps to improve its ability to report and assess potential
breaches of PII. Revisions to incident reporting procedures were followed by significant
increases in the number of disclosure incidents (2,336 of 2,959 for all incident types recorded in
2009), exceeding the number of all incident types from the prior year (725 recorded in 2008).

Figure 1: Potential Disclosures Investigated

Source: Treasury Inspector General for Tax Administration derived from IRS PII Tools
Database.

IRS categorizes incidents involving the potential breach of PII as a Loss, Theft, or Disclosure.

   •   Loss: PII is lost during handling and/or shipment of paper-based records or computer
       media containing PII in electronic format.
   •   Theft: PII is stolen from IRS facilities or while in custody of IRS employees.
       Examples
       include the theft of computers and/or related media, mobile devices, and paper files
       containing PII.
   •   Disclosure: PII is disclosed to unauthorized parties during routine business activity.
       Examples include: a person calling the IRS on a toll-free assistance number, purporting
       to be a taxpayer they are not and obtaining that taxpayer’s information; IRS employees
       failing to follow disclosure procedures and not properly authenticating the caller’s
       identity through a series of challenge questions for which only the taxpayer should have
       correct responses; or erroneous correspondence, where a notice, letter or other form of
       correspondence inappropriately contains another taxpayer’s information or is somehow
       misdirected to an incorrect address and opened by a recipient who is not the taxpayer.

Reporting Procedures Were Revised

In March 2009, the IRS Office of Privacy, Information Protection and Data Security
implemented revisions to how IRS personnel were required to report on these types of incidents.
The IRS uses its Computer Security Incident Response Center as a centralized reporting facility
for all computer security and privacy incidents. As part of the revised process, Privacy,
Information Protection and Data Security, and Computer Security Incident Response Center staff
modified reporting mechanisms to better integrate the reporting of disclosure incidents with other
security items.
This action provided front-line employees and managers with a single
mechanism to report on all disclosure incidents not involving taxpayer correspondence.

Due to the volume and complexity of taxpayer correspondence (in excess of 190 million notices
and letters in calendar year 2009), the Privacy, Information Protection and Data Security staff
clarified that all taxpayer correspondence issues should first be reviewed by the IRS Notice
Gatekeeper. The Notice Gatekeeper is responsible for conducting an initial assessment of all
erroneous correspondence issues to determine the cause of the problem and to coordinate
operational steps to mitigate any taxpayer impact that may result. As part of the assessment, the
Notice Gatekeeper is responsible for verifying and reporting all disclosures of personally
identifiable information resulting from erroneous taxpayer correspondence to the centralized
reporting facility at the Computer Security Incident Response Center.

On March 29, 2009, the revised guidance was published for all front-line employees and their
managers. In the following months, the number of reported incidents spiked (see Figure 2).

In September 2009, subsequent policy was issued by the IRS Wage and Investment Division that
further clarified the types of erroneous correspondence that should be reported first to the Notice
Gatekeeper. This guidance formalized the expansion of erroneous correspondence to include
notices, letters, transcripts, faxes and other electronic transmissions containing taxpayer
information where these communications contained incorrect information, were delivered to a
wrong party, or were created by mistake.
Previously, erroneous correspondence was narrowly
limited to notices.

Review of the IRS PII Tools Database reflects a second, much smaller increase in incidents
reported during September 2009, the majority of which were associated with Notice Gatekeeper
issues.

Figure 2: Disclosure Incidents – 2009

Month    Disclosure Incidents
Jan       49
Feb       65
Mar      139
Apr      394
May      357
Jun      339
Jul      211
Aug      191
Sep      233
Oct      153
Nov      116
Dec       89

Source: Treasury Inspector General for Tax Administration derived from IRS PII Tools Database
(based on Date of Incident; excludes Loss/Theft Incidents.)

The increase in disclosure incidents, which include both telephone and correspondence
disclosures, contrasts with taxpayer telephone call volumes for the same period.
For calendar
year 2009, IRS reported 2,336 disclosure incidents compared to total call volumes in excess of
38 million calls and notice/letter volumes exceeding 190 million. During the time of the
identified increase in disclosure incidents, IRS experienced call volumes in the range of five
million calls per month each for February, March, and April 2009. Call volume dropped to just
over three million calls in May 2009. This suggests that the increase in the number of incidents
was unrelated to call volumes, which remained relatively steady from February through April,
while the increase in disclosures began immediately following the issuance of revised procedures
at the end of March.

Interviewed Employees Were Aware of New Procedures

In November 2009, we interviewed employees from a field office where data showed disclosure
incidents had occurred. In each interview, employees expressed high awareness of revised IRS
disclosure procedures and the associated reporting process should a potential disclosure occur.
We were provided examples where employees had self-reported suspected disclosures and were
provided evidence where IRS disclosure procedures are reviewed as a normal part of quality
review processes conducted at the supervisory and at the program level.

We also observed locally implemented procedures that were adopted to prevent inadvertent
disclosures. For example, the IRS Income Verification Expedite Service is a fee-based program
that, with taxpayer consent, transmits taxpayer information to participating mortgage and
financial companies. The program facilitates income verification for taxpayers seeking to
borrow money from those companies.
Many mortgage and financial companies submit Income
Verification Expedite Service requests in bulk and IRS processes these requests in batches of up
to 50 taxpayers per batch.

The secure transmission of Income Verification Expedite Service information is dependent upon
an IRS employee correctly entering a unique routing code into an information system. The
system provides no validation of that code and sporadic transcription errors caused taxpayer
information to be delivered to the wrong party. These incidents were identified and reported in
accordance with disclosure incident procedures.

IRS management worked with Income Verification Expedite Service employees to implement a
second-level review intended to ensure the routing code has been entered correctly. The process
requires that a lead clerk or supervisor review the input screen to verify the correct routing code
is input and to record his/her validation of the code by signing a form that is maintained with the
batched requests.

Finally, we identified no deviation from IRS incident reporting procedures, nor any other
individual causal factor that may have accounted for the overall increase in potential disclosure
incidents.

Conclusion

Between March and June 2009, the IRS experienced a sharp increase in the number of reported
PII disclosure incidents. An additional spike occurred in September 2009. Our review was
conducted to determine the cause of the increase and to determine if taxpayer personally
identifiable information was being put at risk by the IRS. Our analysis of reported incident data,
policy changes, and interviews with front-line personnel lead us to conclude that the increase in
disclosure incidents was related to revised reporting guidelines and requirements published by
the IRS in March and September 2009.
These guidelines formalized the expansion of erroneous
correspondence to include notices, letters, transcripts, faxes and other electronic transmissions
containing taxpayer information where these communications contained incorrect information,
were delivered to a wrong party, or were created by mistake. Improved reporting procedures
better integrated the reporting of disclosure incidents with other security items and provided
front-line IRS employees and managers with a single mechanism to report all disclosure
incidents. As a result, the IRS is in a better position to prevent potential disclosures of sensitive
taxpayer information.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine why the IRS experienced an increase
during the summer 2009 timeframe in the number of reported incidents where PII may have been
inappropriately disclosed to third parties.

To accomplish our objective, we:

I.     Interviewed Privacy, Information Protection and Data Security, and Wage and
       Investment Division senior staff and field staff.

II.    Determined the IRS efforts to identify and report on potential disclosure of PII.

III.   Determined the changes in policy or workload that may have contributed to the increased
       number of incidents.

IV.    Determined the number and type of incidents that occurred during calendar year 2009.

V.     Determined other factors that may have contributed to the increased number of incidents.

Appendix II

Major Contributors to This Report

Kevin Riley, Director
Damon Plummer, Program Evaluator

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attention: Chief of Staff C
Deputy Commissioner for Services and Enforcement SE
Commissioner, Wage and Investment Division SE:W
Director, Office of Privacy, Information Protection and Data Security OS:PIPDS
Director, Privacy and Information Protection OS:PIPDS:PIP
Director, Customer Accounts Services SE:W:CAS
Director, Accounts Management SE:W:CAS:AM
Director, Submission Processing SE:W:CAS:SP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC